Unsecured Vistaprint database exposed up to 30,000 customers

November 27, 2019

Global e-commerce giant Vistaprint recently left a large customer database exposed on the Internet without any form of encryption, rendering customers' names, email addresses, and contact information visible to third parties.

The large unencrypted and unprotected database owned by Vistaprint and named "migration" was first discovered by security researcher Oliver Hough via the online search engine Shodan on 5th November, following which he alerted the company about the exposure.

According to TechCrunch, which Hough contacted about the large-scale exposure of customer records, the unencrypted database contained data on thousands of "customer service interactions, such as calls to customer service or chats with an online support agent".

These customer service interactions were arranged in five tables. They contained not only detailed records of interactions between Vistaprint customers and the company's customer service agents, but also large amounts of personally identifiable information of customers, such as names, email addresses, and their contact information.

These details, if accessed by malicious actors, could enable them to carry out identity fraud or to conduct phishing operations aimed at luring victims into sharing their account credentials, financial information, or other details about themselves by masquerading as Vistaprint or some other legitimate organisation.

"Regardless of the number of individuals affected, the type of information exposed leaves Vistaprint's customers vulnerable to identity theft and fraudulent activity. The number of those affected will have an impact on repercussions Vistaprint may face from data privacy regulation fines," said Anurag Kahol, chief technology officer at Bitglass.

"With GDPR in full effect, we’re beginning to see massive fines levied against companies and CCPA is set to take effect in January 2020 which calls for fines ‘...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.’ While there might be less damage control, the information is still readily available on the dark web," he added.

The database also contained "information about the customer’s browser and network connection, where they were located, and what operating system they used, and their internet provider," as well as "sensitive information like order numbers and postal tracking numbers," TechCrunch reported.

Other information found on the database included phone numbers belonging to Vistaprint customer service staff, work email addresses of customers, written transcripts of calls, and internal links to call recordings. Considering that the database contained details of customer interactions that took place in mid-September, it can be assumed that the database was created very recently.

Upon being contacted by TechCrunch, Vistaprint took the database offline and said that it would carry out an investigation to ascertain the reasons for the exposure and would take steps to prevent such exposure from occurring in the future.

"This is unacceptable and should not have happened under any circumstances," a Vistaprint spokesperson said. "We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it."

Organisations must start following best practices for configuration to prevent exposures

News about Vistaprint leaving a customer database exposed on the Internet comes not long after security researchers Bob Diachenko and Vinny Troia discovered a massive unsecured cloud database that contained personal information of up to 1.2 billion people, including names, email addresses, phone numbers, and social media profile information.

Data records in the database included email addresses, member IDs, country of origin, whether the user is an Adobe employee, which Adobe products a user has subscribed to, account creation date, payment status, subscription status, and time since last login.

"Instead of remaining sanguine, it’s time for organisations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and deidentify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised," said Warren Poschman, senior solutions architect at comforte AG.

Following the publication of this article, a Vistaprint spokesman told TEISS in an emailed statement that the data exposure affected fewer than 30,000 customers out of the company's global customer base of 17 million and that the exposure did not impact any credit or debit card information belonging to customers.

"We can confirm that a Vistaprint internal research database, affecting some customer data, became publicly available online. We have already taken the database offline and can confirm that it is no longer accessible. Following an investigation, we concluded that no one outside of Vistaprint accessed the data beyond the security researcher and journalist who found it.

"The database contained information relating to less than 30,000 customers out of our 17 million customers worldwide, including names, email addresses, phone numbers and some customer chat transcripts.

"We have verified that no credit or debit card information was contained within this database. We are continuing to check every relevant customer chat transcript to ensure that no additional financial data was discussed or included during these chats," the spokesman said.

If you are a Vistaprint customer and are concerned about whether the data exposure impacted your personal information, you may contact Vistaprint's customer care team on 866-870-4125 or email them at customerservice@vistaprint.com.

About The Author

Jay Jay is a freelance technology writer for teiss. He has previously written news articles, device reviews and features for Mobile Choice UK website and magazine, as well as writing extensively for SC Magazine UK, Tech Radar, Indian Express, and Android Headlines.